_
___ _ __ | | __
/ __| '_ \| |/ /
\__ \ |_) | <
|___/ .__/|_|\_\
|_|
made with <3
spk aka spritzgebaeck: A small OSINT/Recon tool to find CIDRs that belong to a specific organization.
go install github.com/dhn/spk@latest
Usage of spk:
-json
Print results as JSON
-s string
Organization to find CIDRs for
-silent
Show only results in output
-version
Show version of spritzgebaeck
spritzgebaeck can be used to find CIDRs for a given organization. In this example for "TUI GmbH":
$ spk -silent -json -s "TUI GmbH"
{"cidr":"213.61.68.136/29","source":"ripe"}
{"cidr":"62.48.80.0/24","source":"ripe"}
{"cidr":"212.41.250.144/28","source":"ripe"}
{"cidr":"213.83.48.0/25","source":"ripe"}
{"cidr":"212.28.43.40/29","source":"ripe"}
{"cidr":"62.48.72.0/25","source":"ripe"}
{"cidr":"195.127.10.240/29","source":"ripe"}
{"cidr":"213.83.48.128/25","source":"ripe"}
{"cidr":"62.48.72.128/27","source":"ripe"}
{"cidr":"62.48.75.0/24","source":"ripe"}
{"cidr":"80.228.3.160/27","source":"ripe"}
{"cidr":"80.77.212.144/29","source":"ripe"}
{"cidr":"82.98.69.192/27","source":"ripe"}
{"cidr":"82.98.120.0/26","source":"ripe"}
{"cidr":"82.98.66.160/27","source":"ripe"}
{"cidr":"82.98.120.68/30","source":"ripe"}
{"cidr":"62.48.90.0/24","source":"ripe"}
{"cidr":"81.7.221.96/29","source":"ripe"}
{"cidr":"80.77.212.192/27","source":"ripe"}
{"cidr":"82.98.105.32/27","source":"ripe"}
{"cidr":"82.98.69.40/29","source":"ripe"}
{"cidr":"82.98.69.48/28","source":"ripe"}
{"cidr":"87.128.173.24/29","source":"ripe"}
{"cidr":"82.98.80.168/29","source":"ripe"}
{"cidr":"82.98.74.0/29","source":"ripe"}
{"cidr":"82.98.69.224/29","source":"ripe"}
{"cidr":"87.234.207.136/32","source":"ripe"}
{"cidr":"82.98.80.192/26","source":"ripe"}
{"cidr":"83.236.170.43/32","source":"ripe"}
{"cidr":"83.64.171.164/30","source":"ripe"}
{"cidr":"82.98.80.0/25","source":"ripe"}
{"cidr":"93.122.105.64/28","source":"ripe"}
{"cidr":"92.198.37.66/32","source":"ripe"}
{"cidr":"91.133.76.64/29","source":"ripe"}
{"cidr":"88.116.122.128/30","source":"ripe"}
{"cidr":"91.114.29.120/29","source":"ripe"}
{"cidr":"91.25.84.200/29","source":"ripe"}
Use spk
to find a specific netrange + get more information through whois
:
$ spk -silent -s "TUI GmbH" | xargs -I"{}" whois "{}"
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '213.61.68.136 - 213.61.68.143'
% Abuse contact for '213.61.68.136 - 213.61.68.143' is 'abuse@colt.net'
inetnum: 213.61.68.136 - 213.61.68.143
netname: NET-DE-TUI-CRUISES-GMBH
descr: TUI CRUISES GMBH
country: DE
admin-c: JO3608-RIPE
tech-c: JO3608-RIPE
status: ASSIGNED PA
mnt-by: DE-COLT-MNT
created: 2015-06-05T11:18:06Z
last-modified: 2015-06-05T11:18:06Z
source: RIPE
person: JENS OETZEL
address: TUI CRUISES GMBH
address: BOUCHESTRASSE 12
address: BERLIN, 12435, Germany
phone: +49 40 600015380
nic-hdl: JO3608-RIPE
mnt-by: DE-COLT-MNT
created: 2015-06-05T11:18:06Z
last-modified: 2015-06-05T11:18:06Z
source: RIPE
% Information related to '213.61.0.0/16AS8220'
route: 213.61.0.0/16
descr: COLT-DE
origin: AS8220
mnt-by: DE-COLT-MNT
mnt-by: MNT-COLT-SB
created: 2002-06-25T14:35:40Z
last-modified: 2022-07-12T15:01:06Z
source: RIPE
% This query was served by the RIPE Database Query Service version 1.103 (WAGYU)
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '62.48.80.0 - 62.48.80.255'
% Abuse contact for '62.48.80.0 - 62.48.80.255' is 'abuse@net.de'
inetnum: 62.48.80.0 - 62.48.80.255
netname: TUI-INFO-TEC
descr: TUI InfoTec GmbH
descr: Karl-Wiechert-Allee 4
descr: 30625 Hannover
country: DE
admin-c: CK2233-RIPE
tech-c: CK2233-RIPE
status: ASSIGNED PA
remarks:
mnt-by: IPH-MNT
mnt-lower: IPH-MNT
mnt-routes: IPH-MNT
created: 2016-06-15T12:48:44Z
last-modified: 2016-06-15T12:48:44Z
source: RIPE # Filtered
person: Christian Kinzel
address: TUI InfoTec GmbH
address: Karl-Wiechert-Allee 4
address: 30625 Hannover
address: Germany
phone: +49 511 567-5148
fax-no: +49 511 567-935148
nic-hdl: CK2233-RIPE
mnt-by: IPH-MNT
created: 2011-10-12T15:11:35Z
last-modified: 2015-03-09T10:11:56Z
source: RIPE # Filtered
% Information related to '62.48.64.0/19AS15743'
route: 62.48.64.0/19
descr: DE-IPH-20000621
origin: AS15743
mnt-by: IPH-MNT
created: 1970-01-01T00:00:00Z
last-modified: 2001-09-22T09:33:44Z
source: RIPE
[...]
Let's use spk
and dnsx
[1] to find domains within the netranges:
$ spk -silent -s "TUI GmbH" | dnsx -silent -ptr -resp-only | grep tui
tuicrew-zqw-gw.zweibruecken.transkom.net
tuicrew-zqw-vpn.zweibruecken.transkom.net
kibana.tui-deutschland.plusline.de
itest-dhub-tui-deutschland.plusline.de
ctest.tui-uk.plusline.net
itest.tui-deutschland.plusline.de
ctest.tui-deutschland.plusline.de
ctest-dhub.tui-deutschland.plusline.de
webmail.tui.de
mail1.tui.de
tui-genius.tui.com
expiclub-bonussystem.tui.de
karatweb.tui.de
verkauf.tui.de
maritz.tui.de
mail.tui.de
auth.tui.de
webmail.tui.de
reservation-relay.tui.de
tlt.tui.de
products.tui.de
mail2.tui.de
abis.tui.com
www.tui.de
lanzarote.tui.com
ftp.tui.de
www.telis.tui.de
www.tui-personal.com
win1rob1.tui.de
www.tui-family.de
admin.tui.de
iriscms.tui.de
webtas.tui.com
tracetest.tui.com
www.tui-airlines.com
infotec.tui.de
mail.tuigroup.com
mailrelay.tuies.net
irisplus-internet.tui.de
mail.tui.de
one.tui.de
srv229.tui.de
tufis.tui.de
fisp.tui.de
meinschiff1.tuicruises.com
iasd.tui.de
meinschiff2.tuicruises.com
meinschiff.tuicruises.com
tui-blue.com
b-slave.tuicruises.plusline.de
dhub.tui-deutschland.plusline.de
prod.tui-deutschland.plusline.de
prod.tui-uk.plusline.net
Another use case could be to concat dnsx
, subfinder
[2] and unfurl
[3] to find subdomains within the netrange:
$ spk -silent -s "TUI GmbH" | dnsx -silent -ptr -resp-only | unfurl format %r.%t | sort -u | grep -i tui \
| subfinder -silent -json -o output_subdomains.json
{"host":"www.tui-airlines.com","input":"tui-airlines.com","source":"riddler"}
{"host":"mail1.tui-airlines.com","input":"tui-airlines.com","source":"hackertarget"}
{"host":"timsconverter-stg-aws.es.tui.com","input":"tui.com","source":"alienvault"}
{"host":"webhookhub-invoicing.es.tui.com","input":"tui.com","source":"alienvault"}
{"host":"booking-in.lte.tui.com","input":"tui.com","source":"crtsh"}
{"host":"de-l13-eepool04-ws.tui.com","input":"tui.com","source":"crtsh"}
[...]
spk leverages multiple open APIs, it is developed for individuals to help them for research or internal work. If you wish to incorporate this tool into a commercial offering or purposes, you must agree to the Terms of the leveraged services:
You expressly understand and agree that spk (creators and contributors) shall not be liable for any damages or losses resulting from your use of this tool or third-party products that use it.
Creators aren't in charge of any and have/has no responsibility for any kind of:
This disclaimer was shameless stolen from: https://github.com/projectdiscovery/subfinder/blob/master/DISCLAIMER.md
Spritzgebäck means spritz cookies in German.